Why am I not getting any email?

I get a lot of email every day, and when it suddenly stops, that means there's something wrong. I'll walk you through what happened to me, and how I - kind of - shot myself in the foot, with the aid of a hacker.

That’s the question I was asking myself as I got up one Saturday morning and noted that I’d not received any email since Friday evening.

That’s highly unusual, particularly as some of those emails are automated notifications that happen on a schedule over night.

What I found was that a hacker had (inadvertently) caused me to DDOS myself.

I thought I’d share this peek into the complexities of email. While it might get a little geeky at times, here’s what happened, why everything actually worked as it should, and how I fixed it.

My email is run through my own domain name – similar to leo@randomisp.com where I actually own the domain randomisp.com. Rather than support my own email server on that domain, I simply have that email address forwarded to my Gmail account. I log in to Gmail to read and send email, even though my correspondents never see the gmail.com address.

A quick test showed that it was in fact that Gmail account that had stopped receiving email. Test messages sent to it from other services, like Outlook.com, never arrived. Interestingly, email sent from that account was also not being delivered.

My first step was to set up actual email services on my private domain. (In my case, that was very easy to do as I run my own servers. An alternate solution would have been to change the forwarding to another service, like Yahoo! or Outlook.com where I also have accounts.) That got me back online to receive any new mail that arrived and allowed me to send email once again.

I actually wasn’t worried about the messages that hadn’t yet been delivered since the prior evening. As you might expect, I have another layer of backup. When mail is sent via my private domain, I also squirrel away a copy of the mail message as a backup in addition to forwarding it to my Gmail account. Those backups were available (although they were somewhat inconvenient to access), if I needed them. I elected to see how things played out before going that far.

Diagnosing the problem

I’m sorry to say that this won’t help the average email user, but because I run my own servers, I was able to look at activity logs generated by my mail server. I noted that when I tried to send something to my Gmail account, there would be an error message:

The user you are trying to contact is receiving mail too quickly. Please resend your message at a later time. If the user is able to receive mail at that time, your message will be delivered.

Too quickly? Well, that’s odd.

Note that this type of failure isn’t something that would generate an immediate “hard bounce” or failure notice. In most cases, the messages would be held by the email server that was trying to send them so that it could automatically try again later. A hard bounce back to the sender would only happen if a message couldn’t be sent after many attempts – usually several days.

So the mail was probably waiting for me, in limbo somewhere.

But then I realized that “limbo” was probably my own server. Because the mail had made it to my own domain to be forwarded on to Gmail, it was my server’s attempts to pass it on to Gmail that were being thwarted. That meant that the messages were sitting in the mail queue on my server waiting to be tried again later.

So, I went to look at my server’s mail queue.

Nearly 1000 messages were waiting to be sent. That’s definitely not a normal amount for overnight.

The life of a server on the internet

A quick diversion. As you may or may not know, almost any server that sits on the internet is under a fairly constant attack from automated hacking software and malware running on infected machines elsewhere on the ‘net. There are various forms of attack, and they happen at different rates and come from different locations – typically overseas.

But they’re pretty constant.


One form of attack is to attempt to break into content management systems (software that manages website publication) that might be installed on the system. I happen to use WordPress on several sites, and because it’s one of the most popular content management systems, it receives a lot of automated attacks.

Like Windows, the best defense is to keep the software as up-to-date as possible, but also like Windows, it’s a good idea to include additional security software. One such piece of software is a firewall plug-in for WordPress that blocks common types of attacks. It’s actually very nice to have that additional security in place.

One of the reasons why I know that it’s happening is that the firewall plug-in sends me an email when it blocks an attack.

And that’s where the pieces of the puzzle fall into place.

What happened

Sometime Friday night, one of my sites came under a heavier-than-normal hacking attack. The firewall plug-in did its job nicely and blocked them all, sending me an email about each one. The net result is that it sent something like 700 emails to me within a few minutes.

When those were forwarded to my Gmail account, Gmail balked. An email flood (or “mailnado” as someone on Facebook put it) can bring a mail server to its knees, so Gmail has to do something like this to protect itself. Fortunately, it’s not rejecting the mail as much as it’s saying, “I’m too busy. Go away and come back later.”

Gmail would thus throttle the incoming mail to my account for a while. It’s not published anywhere, but based on what I’ve seen, it’s probably on the order of 12-24 hours, and it is probably adjusted based on any continuing attempts to flood the server.

This hacking attempt on my website had caused my own server to mount what was essentially a Denial Of Service (DOS) attack on my mail account.

After doing exactly nothing, mail started to flow again later on Saturday. Even the messages that had originally been sent overnight would trickle in over the next day.

Of course, the question is how to prevent this type of thing in the future. In my case, I made two changes:

1) I configured the firewall not to send a separate message for every attack of the same type, but to bundle them up into fewer emails.

2) I changed the email address that those messages were sent to so that they would be archived on my server, but no longer forwarded to Gmail.
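To show the first of those fixes in working form, here is an added Python example, not code from this post or from any WordPress firewall plug-in: it takes the plug-in's per-event alerts (the field names and addresses are constructed sample data) and collapses them into one digest message per site per time window, so a burst of 700 blocks yields one email rather than 700.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Alert:  # one blocked request as the firewall plug-in reports it (fields constructed)
    ts: float      # time of the block, Unix seconds
    site: str      # which protected site was hit
    kind: str      # type of attack the plug-in blocked
    source: str    # remote address that was blocked

@dataclass
class Digest:  # one summary email covering many Alerts
    site: str
    start: float
    end: float
    total: int = 0
    by_kind: Counter = field(default_factory=Counter)
    by_source: Counter = field(default_factory=Counter)

    def subject(self) -> str:
        return f"[firewall digest] {self.site}: {self.total} blocked in {int(self.end - self.start)}s"

    def body(self) -> str:
        kinds = ", ".join(f"{k} x{n}" for k, n in self.by_kind.most_common())
        srcs = ", ".join(f"{s} x{n}" for s, n in self.by_source.most_common(5))
        return f"Attack types: {kinds}\nTop sources: {srcs}"

def bundle_alerts(alerts, window=600):
    """Collapse per-event alerts into one Digest per site per `window` seconds."""
    # A site's window closes when an alert arrives `window` seconds or more after
    # it opened, so a 700-event burst produces one email instead of 700.
    open_digests, finished = {}, []
    for a in sorted(alerts, key=lambda x: x.ts):
        d = open_digests.get(a.site)
        if d is None or a.ts - d.start >= window:
            if d is not None:
                finished.append(d)
            d = open_digests[a.site] = Digest(site=a.site, start=a.ts, end=a.ts)
        d.end = a.ts
        d.total += 1
        d.by_kind[a.kind] += 1
        d.by_source[a.source] += 1
    finished.extend(open_digests.values())
    return finished

# Constructed sample: a 700-event burst on one site over about three minutes, then
# five stray probes of a second site an hour later, spread over two minutes.
BASE = 1_700_000_000
SAMPLE = [Alert(BASE + i * 0.25, "blog.example", "wp-login brute force",
                f"198.51.100.{i % 3}") for i in range(700)]
SAMPLE += [Alert(BASE + 4000 + i * 25, "shop.example", "php probe", "203.0.113.9")
           for i in range(5)]
```

Sending each digest's subject and body to an archive-only address (the second fix above) instead of the forwarded one keeps even the summaries out of the Gmail forwarding path.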

Ultimately, my experience was nothing more than the system working as it should. Fortunately, I had the tools and access to properly diagnose what was going on. In retrospect, I believe that even without server access, the problem would have become obvious as the 700 firewall messages were eventually delivered. It just would have taken a day or two to sort it all out.

About Leo

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.

Comments

Hi Leo, as one who hates TLAs & FLAs (Two, Three and Four Letter Acronyms) without an explanation the first time used, I was somewhat perplexed by DDOS and assumed it was something to do with Disc Operating System (yes, Disc – I’m English and prefer English to the American foreign language). Imagine my surprise to discover I must be a dinosaur if I still think of DOS in those terms.

I suppose it’s OK (Orl Korrect) that acronyms must move with the times but sometimes it’s hard for us oldies to keep up.

I was recently castigated (the unkindest cut of all) for interpreting SMEs for Small to Medium Enterprises when the writer (unexplained) meant Subject Matter Expert! Aah well, I’m not an expert as I take the meaning to be Ex – as in has been and Spurt being a drip under pressure.

I see hack attempts on our webserver every day. It’s always .PHP extensions which is no problem for us because we have no PHP pages…thus the reason they stand out in the error logs. I get a 404-Page Not Found report each morning that shows the standard “index.php” or “wp-login.php” attempts, I’m guessing that second one is a WordPress hack attempt. What’s interesting, once-in-a-while a really obscure string will appear like “some-strange-folder-path\some-strange-file-name.php” and if I search the net for that specific string, often I’ll only get a few hundred hits and they are always sites discussing a new exploit found in PHP. At that point I imagine someone who runs a bot network enters that string into their hacker script and it dutifully starts searching countless websites just to score a hit on that page. They fail on our site but it’s only a matter of time before they score a hit and I can only imagine what they do at that point.

I had 2 e-mail addresses on 1 small window where I could click on 1 and when I was thru with that 1 I just clicked on the other. Everything was fine until one day one, my personal one, disappeared. I’ve tried everything, followed the screen instructions, got a response once asking for more info, and now 2-3 months later still no recovered e-mail address. It is an @hotmail.com. Now what???

Tom:
“OK” originally stood for “ZERO KILLED” as in The Civil War, (among The North (States) and The South (States) as the “Daily Statistics were Posted on a Chalk Board” for all to see, and know if their loved ones were still safe. (in the Civil War??? –NOBODY was “Safe”).
So over the years it has taken on different meanings. And here we are today……

Hey There! I’ve been having “major” problems with my ancestry.com &/or AOL. Ancestry.com sends out a monthly newsletter, which I haven’t seen in almost 2 years. When I ask them about it they tell me to email AOL and have them check with the “postmaster” (whatever the heck that means) and I go to AOL and they tell me check with Ancestry and have them check with the “postmaster”). I will say I get email from “support@ancestry.com” .. but not the monthly emails and/or anything else they send me including my notice of renewal. NO I don’t have them blocked and I’m really tired of getting the runaround from both of them. Any suggestions? Thanks much.

My record for getting my server to (unintentionally) spam myself sits at about 65,000 emails in a 2-hour period. I managed to kill the outbound queue before about 50k of those got forwarded, but I was clearing them out of Gmail as they trickled in for at least 18 hours. Automated emails are powerful, and can be dangerous.

Leo, I belong to a site I am working on making money. So I get emails constantly from this site. Well, so far I’ve had to open two different email accounts as they stop the site’s emails from coming to me. Last night I opened a new Hotmail account. The site was able to send me all night and all day and now suddenly, I can’t get those emails they are sending me. I should have a good 20 emails from them right now but nothing for the last few hours. They have already asked me to change my email address once because they couldn’t send to my inbox. Now I’m seeing they are unable to send again. What can I do to get all those emails??

This site doesn’t really sound legitimate. But if you want to continue in that direction then your best bet is to not use a service such as Gmail, Hotmail, Yahoo and the like. Those services work hard to prevent spam. The only real option is to purchase your own domain name, and find a server which provides you with a back end management software (such as cpanel) where you can create and manage your own email accounts. You’ll be able to set up accounts that do not filter spam.

Honestly, I don’t know. What you’re describing makes me believe that the sender is being treated as a spammer, and being blocked. You can try getting a new email address on a completely different provider, perhaps.

I stopped receiving emails about a week ago. I tried to contact Yahoo.com. There’s nowhere that you can ask a question, until I came to the bottom of this site. A couple of times I almost got help. I changed my password, but then they wanted me to put in this crazy backup email address & phone number. I think I put in the email wrong, but then they wanted me to put in the phone number. I tried to explain the number wasn’t mine, because they were going to send me a code to put in. I tried putting in my phone number but they said it was an incorrect number. They gone tell me I got the wrong number. Get these dumb ass people at Yahoo to open my frickin email address back up. I got important stuff getting ready to occur, and this is not the time for it to be acting like a damn fool. {name removed}. …I am so…o mad
